FUJ00002254
FUJ00002254
Audit Trail Functional Specification
Fe)
FUJITSU
Commercial in Confidence
Document Title: Audit Trail Functional Specification
Document Reference: CR/FSP/006
Release: Release Independent
Abstract: This document provides a specification of the Operational and
Commercial Audit Trails.
Document Status: APPROVED
Author & Dept: Sarah Selwyn and Quality Manager
External Distribution: POL Approvers
Security Risk YES. See section 0.9, Security Risk Assessment.
Assessment Confirmed
Approval Authorities:
Name Role Date
Amit Apte Fujitsu CTO See Dimensions for record
Peter Stanley POL Chief Architect See Dimensions for record
See HNG-X Reviewers/Approvers Matrix (PGM/DCM/ION/0001) for guidance on who should approve.
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED PageNo: 1 of 23
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
he)
FUJITSU Commercial in Confidence
0 Document Control
0.1 Table of Contents
0 DOCUMENT CONTROL.
0.1 Table of Contents.
0.2 Document History.
0.3 Review Details.
0.4 Associated Documents (Internal & External
0.5 Abbreviations.
0.6 Glossary.
0.7. Changes Expected.
0.8 Accuracy.
0.9 Security
isk Assessmen'
INTRODUCTION
Auditor’s Eye View.
a3
=
aoaaansnaabianwis
1
2 The Total Mainstream Horizon Solution.
3. The Horizon Service... settee
4 Other Post Office Ltd Clients...
Audit Trail Responsibilities and Usage..
1 Responsibilities...
2 Principals, Agents and Rights of Access.
3
4
5
6
7
Access controls....
Post Office Ltd Usage....
Post Office Ltd Client Usage. 15
Audit trail formats...
Audit trail retention periods.
2 THE AUDIT TRACKS....
2.1 Post Office Ltd Horizon Service Audit Track...
FIGURE D: THE POST OFFICE LTD HORIZON SERVICE TRACK
2.1.1 Post Office Ltd Horizon Service Track Content And Maintenance...
2.1.2 Audit Access to the Post Office Ltd Horizon Service Track.
2.1.3 Auditor Utilities...
2.2 Systems Management Trac!
2.2.1 Systems Management Track Content and Maintenance.
2.2.2 Audit Access to the Systems Management Track.
3 THE COMMERCIAL AUDIT TRAIL...
3.1. Magnetic Records.....
3.1.1 Business Incident Management System (BIMS:
3.2 I Manual Record: 20
© Copyright Fujitsu Services Commercial in Confidence Ref: CRIFSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED PageNo: 2 of 23
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
fee)
FUJITSU Commercial in Confidence
3.2.1 Included Items.
3.2.2 Excluded Items.
3.2.3 Caveats.
© Copyright Fujitsu Services ‘Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED PageNo: 3of 23
Fe)
FUJITSU
Audit Trail Functional Specification
Commercial in Confidence
FUJ00002254
FUJ00002254
0.2 Document History
Version No. Date Summary of Changes and Reason for Issue Associated Change
CP/PEAK/PPRR
Reference
1.0 17/9/96 Externally published N/A
1.4 8/10/96 Revised for BA Audit and Pathway comments N/A
1.2 31/1/97 Revised for POCL comments and for review N/A
towards a definitive version 2.0.
2.0 19/2/97 Revised for further comments. Definitive N/A
2.1 19/5/97 Revised for further comments from DSS, N/A
alignment with Access Control Policy Version 1.0,
and for review towards a further definitive version
3.0
2.2 8/9/97 Revised in response to implementation questions I N/A
and further comments from DSS/POCL. Further
review towards a further definitive version 3.0
2.3 20/10/97 Revised for comments received during N/A
Acceptance Specification discussions and
implementation progress
2.4 5/2/99 Revised to extend definition to Commercial Audit I N/A
Trail and to address Horizon comments dated
1/12/98.
2.5 9/3/99 Further comments received 23/2/99 N/A
2.6 9/4/99 Changes agreed at Acceptance Review 30/3/99 N/A
2.7 26/4/99 Changes agreed at post Acceptance Review Audit I N/A
Panel meeting 22/4/99
2.8 09/06/99 Removing references to DSS/BA following their N/A
withdrawal from the contract
2.9 24/06/99 Following comments received from POIA. N/A
3.0 01/07/99 Raised to definitive. 3 CCN 423
3.1 10/11/99 Insertion of previously missing commercial audit N/A
trail details following DSS/BA withdrawal from
contract
4.0 Raised to definitive. CCN. No CCN submitted; N/A
overtaken by CSR+ definition.
44 10/04/00 Introduction of Logistics Feeder Service (LFS), N/A
Change of name — RED :> BIMS
42 21/07/00 Reviewed by Brian Mooney. Document N/A
references updated
© Copyright Fujitsu Services Commercial in Confidence Ref: CRIFSP/006
Limited 2010
Version: 12.0
UNCONTROLLED IF PRINTED OR LOCALLY __ Date: 08-Oct-2010
STORED PageNo: 4 of 23
fee)
FUJITSU
Audit Trail Functional Specification
Commercial in Confidence
FUJ00002254
FUJ00002254
5.0 15/01/01 Raised to Approved N/A
5.1 25/01/02 Changes to reflect Network Banking, EFTPOS. N/A
and decommissioning of HAPS
5.2 12/02/02 Following internal review cycle N/A
5.3 25/02/02 Following review comments from Post Office Ltd I N/A
6.0 25/02/02 Raised to Approved. CCN 929
6.1 17/07/02 Introduce Centera and increase TMS Journal CP3240
retention period from 7 years to 15 years CP3268
6.2 12/09/02 Remove references to Centera
7.0 17/09/02 For Approval. CCN 1019
71 16/12/02 ReduceTMS Journal retention period from 15 CCN 1100
years to 7 years and reflect revised Schedules
7.2 23/01/04 Increase pre-BI3 TMS Journal retention period CP 3623
from 18 months to 7 years and change Pathway CCN 1122
references to Post Office Account or Horizon
depending on the context
7.3 09/02/04 Incorporating POA internal comments and for N/A
Post Office Ltd review
74 24/05/04 Incorporating Post Office Ltd review comments N/A
7.5 09/08/04 Final Post Office Ltd review comments. Updated I CP 3507
for S60 Release
8.0 18/10/04 For Approval CCN 1131
8.1 20/10/04 Updated for S70/75 Release CP 3667
CP 3368
8.2 02/11/04 Following review comments received from POA. N/A
Nil from Post Office Ltd.
9.0 22/11/04 For Approval CCN 1139
9.41 16/05/05 Updated for S80 Release cP
9.2 27/05/05 Following review comments from POA and Post N/A
Office Ltd.
9.3 29/06/05 Incorporating final comments from Rod Ismay N/A
(Post Office Ltd)
10.0 29/06/05 For Approval N/A
10.1 18/07/06 Updated for S90 Release CP 4034
11.0 04/08/06 For Approval N/A
14.41 05/08/10 HNG-X changes to section 1 and 2. CCN1200
11.2 16/08/10 Update reviewers list for internal review N/A
11.3 19/08/10 Updated following internal review. N/A
© Copyright Fujitsu Services ‘Commercial in Confidence Ref: CRIFSP/006
Limited 2010
Version: 12.0
UNCONTROLLED IF PRINTED OR LOCALLY __ Date: 08-Oct-2010
STORED PageNo: 5 of 23
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
Fe)
FUJITSU
Commercial in Confidence
11.4 24/08/10 Correction to security classification N/A
11.5 07/10/10 Transferred to new template. Corrections to 0.4, NIA
0.5
11.6 08/10/10 Revision of 3.2.3 bullet 2. N/A
12.0 08/10/10 Approval version N/A
0.3 Review Details
See HNG-X Reviewers/Approvers Matrix (PGM/DCM/ION/0001) for guidance on completing the lists below. You
may include additional reviewers if necessary, but you should generally not exclude any of the mandatory
reviewers shown in the matrix for the document type you are authoring.
Review Comments by
(date by which comments should be returned)
Review Comments to
Mandatory Review
Sarah Selwyn
Role Name
RMG BU CISO Tom Lillywhite
Commercial Manager Guy Wilkerson
Finance Manager Pippa Cow
Host Design
Roger Barnes
Post Office Ltd Internal Audit
Paul Gardner
Post Office Ltd Internal Audit
Mark Weaver / Antonio Jamasb
Post Office Ltd Finance
Rod Ismay (*v9.1)
Optional Review
Role Name
Development Manager Graham Allen
CTO Amit Apte
Acceptance Manager David Cooke
R1 Release Manager
Mark Andrews
Issued for Information
distribution list to a minimum
Position/Role
Please restrict this
Name
(*) = Reviewers that returned comments
© Copyright Fujitsu Services
Limited 2010
Commercial in Confidence
UNCONTROLLED IF PRINTED OR LOCALLY
STORED
Ref:
Version:
Date:
Page No:
CR/FSP/006
12.0
08-Oct-2010
6 of 23
FUJ00002254
FUJ00002254
(oe) Audit Trail Functional Specification
FUJITSU Commercial in Confidence
0.4 Associated Documents (Internal & External)
Reference Ver Date Title Source
sion
PGM/DCM/TEM/0001(DO I 5.0 I 03 June 2009 RMG BU HNG-X Generic Document I Dimensions
NOT REMOVE) Template
Schedules S1, D5, S10, S15, Post Office
$18, S19 & S22 Ltd
ARC/SEC/ARC/0003 HNG-X Technical Security Dimensions
Architecture
DES/GEN/SPE/0007 HNG-X Menu Hierarchy and Dimensions
Messages
DES/GEN/STD/0001 Host Application Database Design I Dimensions
and Interface Standards
IA/MAN/006 Horizon System Audit Manual for I PVCS
BI3
SVM/SDM/POL/0027 Access Control Policy Dimensions
SVM/SDM/POL/0027 Access Control Policy Dimensions
SVM/SDM/SD/0017 Security Management Service: Dimensions
Service Description
Unless a specific version is referred to above, reference should be made to the current approved
0.5 Abbreviations
versions of the documents.
ACD Automated Call Distribution
ADC Additional Data Capture
ADS Advanced Distribution Systems
AP Automated Payment
APS: AP Service
BA Benefits Agency
Bdc Bureau de Change
BIMS Business Incident Management System
ccD Contract Controlled Document
CCN Change Control Note
© Copyright Fujitsu Services
Limited 2010
Commercial in Confidence
UNCONTROLLED IF PRINTED OR LOCALLY
STORED
Ref: CRIFSP/006
Version. 12.0
Date: 08-Oct-2010
PageNo: 7 of 23
oo
FUJITSU
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
Commercial in Confidence
cP Change Proposal
CR Change Request
cs Customer Service
cT Commercial Terms
cTSss Commercial Terms Signature Sheet
CWP. Change Work Packsge
DC Debit Card
EMV Europay Mastercard Visa
EPOS Electronic Point of Sale
EPOSS EPOSS Service
ETU Electronic Top-up
HADDIS. Host Application Database Design and Interface Standards
HSAM Horizon System Audit Manual
IM Inventory Management
ISDN Integrated Services Digital Network
LFS Logistics Feeder Service
NBE Network Banking Engine
NBS Network Banking System
NS&l National Savings and Investments.
OBC Operational Business Change
POA (Fujitsu Services) Post Office Account (aka RMG BU)
RASD Requirements Architecture and Strategy Design
RD Reference Data
RMG BU Royal Mail Group Business Unit (Fujitsu)
RWP Request Work Package
SAP Systeme, Anwendungen, Produkte in der Datenverarbeitung AG, German
software manufacturer
sli System Integration (Directorate)
SLA Service Level Agreement(s)
TES Transaction Enquiry Service
TIP Transaction Information Processing
TMS Transaction Management Service
0.6 Glossary
© Copyright Fujitsu Services
Limited 2010
‘Commercial in Confidence Ref: CRIFSP/006
Version: 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED PageNo: 8 of 23
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
he)
FUJITSU Commercial in Confidence
Term Definition
0.7 Changes Expected
Changes
There is an outstanding issue regarding SLA credits in §3.2.1.1 that need to be resolved. This is currently
marked as a document note.
0.8 Accuracy
Not Applicable.
0.9 Security Risk Assessment
Security risks have been assessed and it is considered that there are no security risks relating
specifically to this document.
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED PageNo: 9 of 23
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
he)
FUJITSU Commercial in Confidence
1
Introduction
1.1 Auditor’s Eye View
1.1.1 Scope
This functional specification defines the operational and commercial audit trails. These
are, respectively, the audit trail associated with the operation of the services which
make up the HNG-X solution and the audit trail associated with that part of Post Office
Account's internal commercial records to which Post Office Ltd’s Internal Auditors or
Agents may have access as set out in Schedule D5.
The operational audit trail includes that generated by the mainstream operational
services and the Business Incident Management System (BIMS).
At HNG-X Release 2, the mainstream operational services making up the Post Office
Ltd steady state applications are:
Automated Payment Service (APS) including Additional Data Capture (ADC) and AP
OutPay (APOP)
EPOS Service (EPOSS) including Debit Card (DC)
Logistics Feeder Service (LFS)
Network Banking Service (NBS) including NBX
National Savings and Investments (NS&l)
Smart Post
Bureau de Change (BdC) including the use of Debit & Credit Cards, Automatic
Remittance Advice and Authorisation Referrals.
Electronic Top-up (ETU)
Post Office Limited Financial Systems (POL FS)
Infrastructure Services
Transaction Enquiry Service (TES)
The BIMS provides an auxiliary audit trail that separately covers the treatment of
exceptions encountered within the mainstream operational services. The audit trail
associated with the mainstream services is never modified for the purposes of
correction as such.
This specification also addresses, in Section 3, certain elements of Schedule D5 that
relate to access by Post Office Ltd’s commercial auditors to parts of RMG BU’s own
internal records and systems. These latter requirements are met through the definition
and use of a commercial audit trial and associated audit procedure providing for access
from within RMG BU
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED PageNo: 10 of 23,
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
fee)
FUJITSU Commercial in Confidence
The Counter Transaction Journal element of the operational audit trail, and other
operational support and system management elements relating to financial systems,
are retained for 7 years. The remainder of the operational audit trail, specifically data
relating to APS, TIP and LFS is retained for 18 months.
Note that although OBCS and TIP were discontinued services at S80 the audit data
generated up to the point of rolling out Horizon S80 is being retained under existing
rules.
The commercial audit trail is retained for seven years although some records are held
for the life of the contract, which may be longer than seven years.
If the technology used to hold elements of the audit trail becomes obsolete then they
will be copied to the new technology to maintain continuity of access.
1.1.2 The Total Mainstream Horizon Solution
From the standpoint of the auditor, the total mainstream solution, including both the
Horizon sub-systems and the source and sink subsystems, is shown in Figure A. The
arrows represent the subsystem interfaces at which key auditable events occur.
Horizon’s responsibilities extend to the subsystems coloured green (dark lozenge) and
the interfaces coloured blue (dark arrows).
Post Office
Lid Client
(Post Office
Lid)
Post Office Ltd
Cients
Figure A: Subsystems and principal interfaces
In addition, but not shown, are the Systems Management facilities that Horizon
employs in the course of operating the hardware and software and telecommunications
platforms themselves.
1.1.3 The Horizon Service
The Horizon counter application is a single application offering a number of services
with which the post office clerks interface:
© Copyright Fujitsu Services ‘Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED
PageNo: 11 of 23,
2
FUJITSU
Commercial in Confidence
Audit Trail Functional Specification
FUJ00002254
FUJ00002254
EPOS Service (EPOSS) including Debit Card (DC)
Automated Payment Service (APS) including Additional Data Capture (ADC) and AP OutPay
(APOP)
Logistics Feeder Service (LFS)
Network Banking Service (NBS)
Smart Post
Bureau de Change (BdC) including the use of Debit & Credit Cards, Automatic Remittance
Advice and Authorisation Referrals.
Electronic Top-up (ETU)
National Savings and Investments (NS&I)
Branch network providing connectivity to the Data centres
Branch Access Layer / Branch database
Central servers
(PostO ffice Ltd Client systems) ) )
UN (oo ae
LJ
—_—
ter
ih
y
Count
Figure B: Principal components of the Strategic Infrastructure Service
The Horizon Service also contains a telephony interface to callers and interfaces to
Systems Management functions (not illustrated).
Figure B shows the Horizon Service components with the same interfaces remapped
appropriately.
1.1.4 Other Post Office Ltd Clients
Figure C shows the relationship between the Horizon Service and other Post Office Ltd
Client systems. These client systems comprise both those that belong to the Post
© Copyright Fujitsu Services
Limited 2010
Commercial in Confidence
UNCONTROLLED IF PRINTED OR LOCALLY
STORED
CR/FSP/006
12.0
08-Oct-2010
12 of 23
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
fee)
FUJITSU Commercial in Confidence
1.1.4.1
Office Ltd organisation itself and those, which belong to Post Office Ltd’s commercial
Clients, such as utilities and high street banks.
Post Office
Lid Client
(Post Office
Lid)
Post Office Ltd
Gients
Figure C: Other Post Office Ltd Clients
Post Office Ltd In-house Systems
The Post Office Ltd systems that interface to the Post Office Ltd Horizon Service are:
Reference Data
SAP Advanced Distribution System (ADS) for Inventory Management (IM)
Post Office Limited Financial Systems
The stock and Branch trading Statements are also produced within each office on
paper. These signed paper records will, foreseeably, represent the fiduciary record of
the outlet’s business.
The Reference Data system is responsible for supplying transaction steering data to
Horizon. This data describes the relationships and properties of the data to be
processed (typing of regions, Post Office Ltd organisations, outlets, Clients, items for
sale, methods of payment, and transaction tokens); and the processing methods
(processing and validation rules, check digits, calendars, accounting collation
sequences, tax tables).
ADS is an on-line system but with a same-day level of response time. It handles
orders, secure stock returns, transfers and secure stock inventories, providing for
central control interfacing with Horizon’s Logistics Feeder Service (LFS)
AP Clients will have direct interfaces to Post Office Ltd for receiving files of payment
records generated by the Horizon Service.
© Copyright Fujitsu Services ‘Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version: 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED PageNo: 13 of 23
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
he)
FUJITSU Commercial in Confidence
1.1.4.2 Post Office Ltd Client Systems
This level of specification does not define the audit facilities to be made available to the
audit departments of Post Office Ltd’s Automated Payment commercial Clients. These
facilities will be negotiated between Post Office Ltd and the Client as part of the AP
Migration Plan Interface specification for each Client. It has been decided by Post
Office Ltd that such Client systems will NOT access the Post Office Ltd Horizon Service
directly to provide customer and payment scheme reference data (transaction steering
data). Such data will be passed through the Post Office Ltd Reference Data system.
1.2 Audit Trail Responsibilities and Usage
1.2.1 Responsibilities
1.2.1.1 Tracks and Trails
In the description below use is made of the terms audit track and audit trail. An audit
track is a record of activities made within a Horizon subsystem for one or more of its
interfaces. An audit trail is one or more such tracks. The data recorded in a trail’s
several tracks may represent the treatment of related transfers and processing.
In general it is possible to produce an audit track for an interface on either side of that
interface, or, if the interface is itself problematic, on both sides.
It is of course a matter for Post Office Ltd and Post Office Ltd Clients to produce their
own audit tracks on their sides of the interfaces to Horizon.
1.2.1.2 TWO Tracks
The Horizon audit trail is based upon files representing the single main audit track
representing the traffic running through the Horizon solution, the Post Office Ltd
Horizon Service. This system is RMG BU’s operational responsibility and its operating
interfaces are also under its control.
As discussed above, a second audit track represents the systems management
operation of the Horizon system itself.
1.2.2 Principles, Agents and Rights of Access
The underlying policy for access control is defined in the Access Control Policy —
SVM/SDM/POL/0027 (ACP) and the HNG-X Technical Security Architecture —
ARC/SEC/ARC/0003.
An Agent may carry out a particular audit for Post Office Ltd or by Post Office Ltd
themselves. The Agents that are permitted are defined in Schedule D5.
Horizon provides for rights of access for individual roles and enforces these rights of
access. Changes to these rights is via Change Control.
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED
PageNo: 14 of 23
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
he)
FUJITSU Commercial in Confidence
1.2.3 Access controls
Access controls are effected through the use of roles. There are two auditor roles: Post
Office Ltd Emergency Manager/auditor and Post Office Ltd Auditor. These roles and
the functions that they may perform are further defined in document HNG-X Menu
Hierarchy and Messages DES/GEN/SPE/0007.
1.2.4 Post Office Ltd Usage
Post Office Ltd Audit functions has access to the Post Office Ltd Horizon Service audit
track and the Systems Management track
1.2.5 Post Office Ltd Client Usage
Post Office Ltd Client Audit functions will have access to those parts of the Post Office
Ltd Horizon Service track relating to that Client and subject to the Client’s contract with
Post Office Ltd (subject to paragraph 1.2.3 above)
1.2.6 Audit trail formats
1.2.6.1 Native Formats
The principle followed is that Horizon originates the audit track source data in flat files.
The format in which the Counter Transaction journal is written by Horizon operational
software is that used as input to the utilities that prepare the bulk extracts for the audit
authorities. That is, the native flat format is the operational format Subsets of the
Counter Transaction journal represent the data transferred to ADS and Post Office Ltd
Clients, and from RD, ADS, possibly Post Office Ltd Clients.
The native format of the flat files containing the data transferred between subsystems
is described in file headers. They are therefore self-describing at the file level. See
Host Application Database Design and Interface Standards - DES/GEN/STD/0001
(HADDIS).
The logs of file transfers (control files) are in one simple format.
1.2.6.2 Custom Formats
The Counter Transaction journal native flat format is not to be further transformed.
Custom formats for other audit files may be specified at a later level of specification.
Transfer is by CDROM.
As a principle, the less transformation the better, since this preserves more of the
original raw data and removes the need to qualify and maintain transforming software.
1.2.7 Audit trail retention periods
Schedule B3.2 establishes the retention periods for the Operational and Commercial
Audit Trails. These are, for the Counter Transaction Journal element of the operational
audit trail, and other operational support and system management elements relating to
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED
PageNo: 15 of 23,
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
2
FUJITSU
Commercial in Confidence
financial systems, 7 years. For other operational systems18 months, and for the
Commercial Audit Trail 7 years or contract duration, whichever may be longer.
Operational Audit Data may be retained beyond the specified retention period if it is
required to support an ongoing Post Office Ltd Investigation, or Litigation Support by
RMG BU, as described in the CCD Security Management Service: Service Description-
SVM/SDM/SD/0017.
Certain archived data such as EPOSS administration functions, which contain dated
internal references, will itself have an implied longevity of more than 18 months.
2 ~ The Audit Tracks
2.1 Post Office Ltd Horizon Service Audit Track
Sa
Figure D: The Post Office Ltd Horizon Service track
2.1.1 Post Office Ltd Horizon Service Track Content And Maintenance
The Post Office Ltd Horizon Service audit track comprises:
e the Counter Transaction journal
and those Post Office Ltd files exchanged between the Horizon data centres:
¢ the Horizon System Help Desk files
« Post Office Ltd’s own systems’ files
¢ AP Client files
¢ Debit Card payment and error files
Any other intermediate file or table constructs do not form part of the track.
© Copyright Fujitsu Services
Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version: 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED
PageNo: 16 of 23
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
Fe)
FUJITSU
Commercial in Confidence
2.1.1.1. Counter Transaction Journal
The audit archive of the Counter Transaction journal is taken daily by copying all new
messages to audit archive media.
The Counter Transaction journal comprises records appended to the journal of each
outlet. The Counter Transaction journal contains the original transaction details,
including its origin, when it happened, who caused it to happen, and the outcome.
2.1.1.2 Post Office Ltd Systems
These comprise:
« Those at the RD and SAPADS interfaces holding control records describing files being
transferred
e There is no systematic value in holding separate audit copies of the raw data
transferred across these interfaces with Counter Transaction because this is what the
Counter Transaction journal itself represents and because the SAPADS transfers are
selective extracts of it.
2.1.1.3 AP Client Systems
This comprises the various AP Client interfaces holding control records describing files
being transferred.
2.1.2 Audit Access to the Post Office Ltd Horizon Service Track
Logical audit access will be provided as follows:
2.1.2.1. Counter Transaction Journal Access at the Outlet
Views of the transactions that have taken place within a whole post office during the
recent past are available from any counter or back office position within a post office,
subject to the Post Office Ltd Auditor having appropriate access rights. The term
“transactions” here embraces both the serving of customers and EPOSS administration
events. The journal is also used to carry certain Horizon control sequences. These are
of no intrinsic interest to auditors but their retention within the message numbering
means that auditors can be sure there are no missing records.
2.1.2.2 I Counter Transaction Journal Access at the Data Centre
Counter Transaction journal data is maintained within the Branch database in the
Horizon Data Centres. Audit records are written to audit archive media. They are
presented in exactly the same way as recent records when retrieved although will be
subject to filters appropriate to the selection and the audit authority for which the
selection is being made. Archive records will take a longer time to retrieve, the retrieval
time being in proportion to the volume requested.
If and when the Counter Transaction service provider changes, then the Counter
Transaction journal will be transferred to the new provider as part of the transfer
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED
PageNo: 17 of 23,
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
he)
FUJITSU Commercial in Confidence
agreement. Apart from the longevity of data retention and the associations of data with
post offices, these views are equivalent to those taken in the post office. Itis
understood that the vast majority of Post Office Ltd audits will be conducted within the
post offices, with resort to the Data centre server views only where the outlet views are
not available (denial, destruction) or, of course, where the historical record is required.
Schedule B3.2 specifies that the audit trail shall be maintained and retained by RMG
BU and protected by security measures.
2.1.3 Auditor Utilities
2.1.3.1 Interactive Access
Facilities available to Auditor roles within a Post Office are defined in document HNG-X Menu
Hierarchy and Messages DES/GEN/SPE/0007.
2.1.3.2 Bulk Access Using Keys
Bulk access is provided via the Horizon Data Centres only. A utility is provided to
produce bulk selections according to the role of the auditor and in the custom magnetic
format specified by the audit authority to which he belongs. Post Office Ltd Client audit
authorities may require different formats from those used by Post Office Ltd but RMG
BU proposes that they be required to use the Horizon native flat format directly.
Clearly, subject to the terms of Post Office Ltd’s contract with a Post Office Ltd Client,
the data accessed will be limited to that pertaining to that Client.
Retrieving Operational Audit Data in support of Post Office Ltd requests is described in
the CCD Security Management Service: Service Description - SVM/SDM/SD/0017.
In the event that the audit function requires direct, personal and extempore access to
the actual Counter Transaction operational journal then this access will be supervised
by RMG BU staff.
2.2 Systems Management Track
2.2.1 Systems Management Track Content and Maintenance
The track is made up of audit events for the particular domain in question. Within
these domains events are collected by Tivoli Agents and transformed into Tivoli Events.
In the Horizon solution all events that are deemed significant are transferred to the
Tivoli Collection Layer. From there the events are written to serial files as an audit trail.
Event data sources within the Horizon solution comprise:
« Counters in the Branch estate
¢ The Branch Router
¢ Data centre platforms and appliances from sources such as SNMP, Oracle,
Cisco, text files, Windows Event Logs, Syslog etc.
Tivoli provides extensive event management facilities including central display, sorting
and filtering before viewing, for example, all operations initiated by a particular
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED
PageNo: 18 of 23,
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
fee)
FUJITSU Commercial in Confidence
operator. These facilities are accessed via desktop applications available to the Fujitsu
Services Systems Management functions.
These Tivoli Events are extracted from the Tivoli Oracle database and archived using
the standard Archive Service. Archiving is in Comma Separated Variable (CSV)
format.
2.2.2 Audit Access to the Systems Management Track
2.2.2.1 Interactive Access
Archived data may be restored from CSV format and viewed using native facilities.
2.2.2.2 Bulk Access
This will be facilitated as follows:
>» The Tivoli events will be archived daily
>» Analysis can be either by Notepad-type browsing the archive file or by importing
from CSV format into a database or editor of choice.
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED
PageNo: 19 of 23,
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
he)
FUJITSU Commercial in Confidence
3 The Commercial Audit Trail
The commercial audit trail is defined to comprise material, held in either magnetic forms
or definitively on paper, to which Post Office Ltd has access.
3.1 Magnetic Records
These comprise copies of certain Operational Support records that Post Office Ltd
receive as part of the Service, and those parts of RMG BU’s internal commercial
records to which Post Office Ltd have access.
The track making up the magnetic commercial audit trail is the Business Incident
Management System (BIMS)
3.1.1 Business Incident Management System (BIMS)
BIMS is freestanding from the mainstream Horizon Solution. It is a record of the
activities undertaken by the RMG BU Customer Service Management Support Unit to
make necessary adjustments to transactions, typically to effect accurate reconciliation.
3.1.1.1. Data Retention Requirements
Schedule B3.2 establishes the retention periods for the Operational and Commercial
Audit Trails. These are, for the Counter Transaction Journal element of the Operational
Audit Trail 7 years and 18 months for all other elements, and for the Commercial Audit
Trail 7 years or contract duration which may be longer.
For these purposes BIMS is deemed to be part of the Operational Audit Trail.
3.1.1.2 Audit Access to Operational Support Records
Access is obtained via the procedures contained within the HSAM.
3.2 Manual Records
These comprise RMG BU records that are held definitively on paper to which Post
Office Ltd have access.
3.2.1 Included Items
The scope of this list is restricted to items of significance to Post Office Ltd.
3.2.1.1 Invoicing
System Overview
All invoices raised under the Agreement are processed through the Fujitsu Services
Oracle Financial System.
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED
PageNo: 20 of 23,
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
Fe)
FUJITSU
Commercial in Confidence
Schematic
The following diagram shows the main data flows within the Invoicing process.
I Message Contract I I I
Sta ose ‘Additional
} Broadcast Sehedie a 2
Credits eee _ Activity crs
‘Generale invoice
‘Supporting
Evidence
FINANCIAL
SYSTEM
I FS ORACLE
laman-17.ins
Data Input Streams
Contractual Data
Operating Fee during operating period.
SI Commitment Fee during period.
CCN Service at Annex D to Schedule D1
Manual Data
Debit Instructions from BIMS.
Credit Instructions from BIMS.
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED
PageNo: 21 of 23
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
Fe)
FUJITSU
Commercial in Confidence
These are manual notifications that are applied to the Invoice during its production
cycle. (There is, currently, no identified occurrence that might cause a BIMS Instruction
to be raised but it is included for completeness.)
Additional CCNs (Monthly)
OBC Invoice (Quarterly) — Annex B to Schedule D1
Message Broadcast (Monthly)
SLA Credits (Monthly) - Schedule C1 and relevant Service Descriptions Additional
CTs executed by CORE along with corresponding Credit Note for any CORE already
pre-paid through SI Commitment Fee.
Property Charges
Availability Fee
Changes to Contractual Data
Changes to any element of the Contractual data can only be achieved through formal
negotiation between the two parties.
Output Stream
The invoicing suite of documents consists of the following :
¢ Sl Commitment Fee Invoice
¢ Operating Fee Invoice
¢ Credit Note for service credits.
¢ Credit Note for CORE already pre-paid through SI Commitment Fee.
Data Retention Req ments
Schedule 3.2 establishes the retention periods for the Commercial Audit Trails as 7
years or contract duration which may be longer..
3.2.1.2 Change Control Documentation
Change Control is an agreed process, through which changes to Horizon are defined,
notified, impacted and costed, authorised and controlled. Documentation that falls into
this group include :
e Change Requests (CR)
e Change Proposals (CP)
¢ Commercial Terms (CT)
e¢ Commercial Terms Signature Sheet (CTSS)
¢ Change Control Notes (CCN)
« Request for Work Package (RWP)
e Change Work Package (CWP)
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED
PageNo: 22 of 23,
FUJ00002254
FUJ00002254
Audit Trail Functional Specification
he)
FUJITSU Commercial in Confidence
e Documents that are output from the process and which represent the audit trail
of proposed changes and their outcome form part of the Commercial Audit Trail.
e Retention: Contract life or seven years whichever is the greater.
3.2.1.3 Special Assistance Invoices
Schedule E enables RMG BU to charge for costs incurred in assisting Post Office Ltd
with audit activities following contract termination. Records relating to time spent and
expenses will be maintained on a case by case basis.
Retention: Contract life or seven years whichever is the greater.
3.2.1.4 Development Activity Invoices
Where development activities are entered into under the terms of the revised contract
invoicing will be in accordance with Schedule D1.
Retention: Contract life or seven years whichever is the greater.
3.2.1.5 Contracts with Sub-Contractors
Access is limited to contractual and service related arrangements.
Retention: Contract life or seven years whichever is the greater.
3.2.2 Excluded Items
The following items are outside the scope of ‘Records’ as defined in Schedule 1:
e Financial arrangements with RMG BU sub-contractors.
e Financial and employment arrangements with RMG BU employees, both direct
and contract.
« The RMG BU Business Case.
e General accounting information including funding.
e Reports from and to Fujitsu Services HQ or Fujitsu Group, Japan.
There may be other documents or records that are subsequently added to this list.
3.2.3 Caveats
There are two caveats that apply to the above lists:
e Special access to records not identified as ‘included’ may be granted on a case-
by-case basis, subject to request and approval at the appropriate level.
e The scope of access to records identified as ‘included’ must be agreed as part
of agreeing the terms of reference for an audit. If records and/or documents are
identified during an audit that were not included in the original terms of
reference, RMG BU Internal Audit will facilitate the release of these records
and/or documents through the appropriate channels subject to the records not
being on the ‘Excluded’ list.
© Copyright Fujitsu Services Commercial in Confidence Ref: CR/FSP/006
Limited 2010
Version. 12.0
UNCONTROLLED IF PRINTED OR LOCALLY Date: 08-Oct-2010
STORED
PageNo: 23 of 23